Bybit’s $1.5 Billion Theft Unveiled: Safe{Wallet} Front-End Code Tampered

SlowMist


Author: 23pds & Thinking
Editor: Liz

Background

On the evening of February 26, Bybit and Safe simultaneously released security investigation reports regarding the theft of nearly $1.5 billion worth of cryptocurrency from Bybit.

Safe stated:

The forensic analysis of the targeted attack launched by Lazarus Group against Bybit indicates that the attackers infiltrated a Safe{Wallet} developer’s machine, allowing them to submit a disguised malicious transaction proposal. This deception led Bybit’s Safe wallet owner to sign the malicious transaction, enabling the attack on Bybit’s Safe wallet.

Forensic analysis conducted by external security researchers did not identify any vulnerabilities in the source code of Safe’s smart contracts, front-end, or related services. Following the incident, the Safe{Wallet} team conducted a thorough investigation and gradually restored Safe{Wallet} on the Ethereum mainnet. The team has fully rebuilt and reconfigured all infrastructure, rotated all credentials, and ensured that the attack vector has been completely eliminated. Once the final investigation results are available, the Safe{Wallet} team will release a comprehensive post-mortem analysis.

The Safe{Wallet} front end remains operational with additional security measures in place. However, users should exercise extreme caution and remain vigilant when signing transactions.

Bybit stated:

Attack Timing: The malicious code was injected into Safe{Wallet}’s AWS S3 bucket on February 19, 2025, and was triggered on February 21, 2025, when Bybit executed a multisig transaction, leading to the theft of funds.

Attack Method: The attackers modified Safe{Wallet}’s front-end JavaScript files, injecting malicious code to alter Bybit’s multisig transactions, redirecting funds to the attacker’s address.

Attack Target: The malicious code specifically targeted Bybit’s multisig cold wallet address and a test address, activating only under certain conditions.

Post-Attack Actions: Approximately two minutes after the malicious transaction was executed, the attackers removed the malicious code from the AWS S3 bucket to cover their tracks.

Investigation Conclusion: The attack originated from Safe{Wallet}’s AWS infrastructure, likely due to an S3 CloudFront account or API key leak or compromise. Bybit’s own infrastructure was not breached.

The U.S. Federal Bureau of Investigation (FBI) has issued an announcement confirming that the North Korean hacking group “TraderTraitor” (also known as Lazarus Group) was behind the cyberattack on Bybit exchange on February 21. This attack resulted in the theft of $1.5 billion worth of crypto assets.

Review and Analysis

As an external third-party security firm, SlowMist was not directly involved in the investigation but has been closely monitoring the developments.

On the morning of February 26, during an internal review of the attack, SlowMist CISO 23pds noticed that Safe had been making various modifications to its frontend and related code since the attack occurred on February 21. As a result, 23pds shared part of the analysis on X and immediately informed SlowMist security team lead Thinking to follow up:

Link to the JavaScript code history changes:
https://app.safe.global/_next/static/chunks/pages/_app-52c9031bfa03da47.js

We first used urlscan to capture changes to app.safe.global over the past few months and found that only the file “_app-52c9031bfa03da47.js” had been modified.

We then analyzed the changes to this file using the Internet Archive’s Wayback Machine:

https://web.archive.org/web/20250219172905js_/https://app.safe.global/_next/static/chunks/pages/_app-52c9031bfa03da47.js


The malicious contract address used by the attacker in this hack has been identified as:

0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516

The analysis of the “_app-52c9031bfa03da47.js” JavaScript code was presented as an annotated screenshot (image source: ScamSniffer).

Overall Attack Flowchart

Coincidentally, during our analysis, Safe and Bybit released their investigation reports last night, bringing this incident to a definitive conclusion, which is undoubtedly a good outcome. It is now confirmed that the theft of nearly $1.5 billion in cryptocurrency from Bybit was a meticulously planned, targeted attack. This incident highlights hackers’ ability to precisely exploit development environments and supply chains, underscoring the critical importance of frontend code control.

The attackers first gained control over the frontend code of app.safe.global and then launched a targeted attack against Bybit’s Safe{Wallet}. When Bybit’s multisig Owner used app.safe.global to sign transactions, the Safe{Wallet} interface displayed a normal address. However, the actual transaction content was replaced with malicious data before submission, tricking the Owner into signing the altered transaction. As a result, the attackers successfully took control of Bybit’s multisig wallet contract and executed the theft.

How can we better protect cryptocurrency assets in this “blockchain dark forest”? Beyond conducting security audits, additional defense measures are essential to mitigate risks. SlowMist’s MistEye (https://misteye.io/) provides comprehensive Web3 threat intelligence and real-time security monitoring, including:

Additionally, Web3 projects, particularly infrastructure providers, must prioritize supply chain security. For more security recommendations, refer to SlowMist: The Ultimate Guide to Supply Chain Security in the Web3 Industry.

About SlowMist

SlowMist is a blockchain security firm established in January 2018. The firm was founded by a team with over ten years of network security experience and has grown into a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked with various well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.

SlowMist offers a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consulting, and other security-related services. We also offer AML (anti-money laundering) software, MistEye (security monitoring), SlowMist Hacked (crypto hack archives), FireWall.x (smart contract firewall) and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.
